[Openstack] DVR and public IP consumption

Tomas Vondra vondra at czech-itc.cz
Wed Jan 20 17:03:30 UTC 2016


James Denton <james.denton at ...> writes:

> Hi,
>
> >> You cannot get around each tenant gateway router consuming an extra
> >> public IP address itself as far as I know.
>
> Almost. With DVR, a FIP namespace is created on compute nodes, with one
> FIP namespace per external network. The FIP namespace owns an IP address
> from the external provider network, and all tenant routers connected to the
> same external network on the same node connect to the respective FIP
> namespace via veth pair. It is possible that all compute nodes could each
> have a FIP namespace connected to the same external network, which would
> certainly reduce the number of IPs available, but it beats having to give
> each tenant router an IP. There is some NAT/routing/Proxy ARP magic that
> goes into making this config work. Assaf’s blog is a great resource for that
> info.
>
> James

Very well, I don't really understand the point of taking a public address
on the compute node for the FIP namespace, when the Floating IPs are created
in the QROUTER namespaces and these are bridged to the real network using
Open vSwitch. But I can live with that.

But anyway - my router entries in "neutron router-list" look like this:

id | name | external_gateway_info | distributed | ha
ba8c8b17-5649-474b-ac81-4960c2358611 | admin-router | {"network_id": "5e9b25cf-ee67-48ac-be9b-79cd274fd25d", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "9ff34ad0-dfa2-44df-99b4-dc1a97bdb603", "ip_address": "< X.X.X.X public IP>"}]} | True | False

The public IP is a pingable IP that resides on the network node in a SNAT
namespace. There is one such namespace per virtual router. Is there any
magic to reduce the number of these?
Vondra

>
> From: Tom Verdaat <tom <at> server.biz>
> Date: Wednesday, January 20, 2016 at 9:02 AM
> To: "openstack <at> lists.openstack.org" <openstack <at> lists.openstack.org>
> Subject: Re: [Openstack] DVR and public IP consumption
>
> Hi Tomas,
>
> Actually the networking nodes, and in a DVR scenario the compute nodes,
> don't need a public IP assigned to the node itself. All they need is a
> networking interface connected to the "public" network. Only tenant routers
> set as a gateway consume one public IP address each as overhead. You cannot
> get around each tenant gateway router consuming an extra public IP address
> itself as far as I know.
>
> Does that answer your question?
>
> Cheers,
>
> Tom
>
> 2016-01-20 13:48 GMT+01:00 Tomas Vondra <vondra <at> czech-itc.cz>:
> Hi!
> I have just deployed an OpenStack Kilo installation with DVR and expected
> that it will consume one Public IP per network node as per
> http://assafmuller.com/2015/04/15/distributed-virtual-routing-floating-ips/,
> but it still eats one per virtual Router.
> What is the correct behavior?
> Otherwise, it works as a DVR should according to documentation. There are
> router namespaces at both compute and network nodes, snat namespaces at the
> network nodes and fip namespaces at the compute nodes. Every router has a
> router_interface_distributed and a router_centralized_snat with private IPs,
> however the router_gateway has a public IP, which I would like to get rid of
> to increase density.
> Thanks
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack <at> lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> 
> 
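
The address accounting discussed in this thread, as an added example that is not part of any poster's message: a Python parser for listing rows in the layout shown in the post, which tallies the public addresses held by router gateways per external network and then adds one address per compute node hosting a FIP namespace, as James describes. The sample rows, IDs, addresses and the fip_nodes_per_network parameter are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample in the row layout shown in the post; the IDs and the
# addresses (RFC 5737 documentation range) are made up.
SAMPLE = """\
id | name | external_gateway_info | distributed | ha
1111 | admin-router | {"network_id": "ext-net-a", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "sub-a", "ip_address": "203.0.113.10"}]} | True | False
2222 | demo-router | {"network_id": "ext-net-a", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "sub-a", "ip_address": "203.0.113.11"}]} | True | False
3333 | isolated-router | null | True | False
"""


def gateway_ips_per_network(listing):
    """Count router gateway addresses per external network ID."""
    counts = Counter()
    for row in listing.splitlines():
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) != 5:
            continue  # table border or a wrapped line
        try:
            gateway = json.loads(cells[2])
        except ValueError:
            continue  # header row: the cell holds a column name, not JSON
        if gateway:  # null means the router has no external gateway
            ips = gateway.get("external_fixed_ips", [])
            counts[gateway["network_id"]] += len(ips)
    return counts


def overhead(listing, fip_nodes_per_network):
    """Gateway addresses plus one FIP-namespace address per compute node.

    fip_nodes_per_network is an assumed input: for each external network,
    the number of compute nodes that currently host a FIP namespace on it.
    """
    gateways = gateway_ips_per_network(listing)
    return {net: gateways[net] + fip_nodes_per_network.get(net, 0)
            for net in gateways}


if __name__ == "__main__":
    print(overhead(SAMPLE, {"ext-net-a": 3}))
```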



